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DB2 Security Mechanisms 


= There are three main mechanisms within DB2 that allow a DBA to 
implement a database security plan: 


— Authentication 


e DB2 authentication works closely with the security features of the 
underlying operating system to verify user IDs and passwords 
— Authorization 
* Authorization involves determining the operations that users and/or 
groups can perform, and the data objects that they may access 
— Privileges 
* Privileges help define the objects that a user can create or drop. 
They also define the commands that a user can use to access objects 
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DB2 Authentication 
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DB2 Authentication Vs. Authorization - 


YT | [| | [TLT] 
Authorization: || {| | [| |) 
Does Linda have an L| LI | ff | 
A A authorization to 
® DB2 uses a combination of: 


perform SELECT on 
an ^ua a? 


— External security service 


. . Authentication: 
— Internal access control information | Sprite 


correct password 


dan db2 connect to mydb user 
. . l linda usi d 
* Authentication A dod 
— Identify the user 


* Check entered username and password 


— Done by security facility outside DB2 (Part of the OS, DCE, Kerberos ...) 
* Authorization 


— Check if authenticated user may perform requested operation 
— Done by DB2 facilities 


e Information stored in DB2 catalog, DBM configuration file 
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DB2 Authentication 


DB2 authentication controls the following aspects of a database 
security plan: 


— Who is allowed access to the instance and/or database 
— Where and how a user's password will be verified 


It does this with the help of the underlying operating system 
security features whenever an attach or connect command is 
issued 


— An attach command is used to connect to the DB2 instance 


— Aconnect command is used to connect to a database within a 
DB2 instance 
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DB2 Authentication Types 


* Authentication types are used by DB2 to determine where 
authentication is to take place 


* The following table summarizes the available DB2 authentication 
types 


SERVER Authentication takes place on the server 


SERVER_ENCRYPT Authentication takes place on the server. Passwords 
are encrypted on the client before being sent to the 
server 


CLIENT Authentication takes place on the client machine 


KERBEROS Authentication is performed by the Kerberos security 
software 


KRB_SERVER_ENCRYPT Authentication is performed by Kerberos security 
software if the client setting KERBEROS. Otherwise, 
SERVER, ENCRYPT is used 
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Setting Authentication On The Server 


* Authentication is set on the database server within the Database 
Manager Configuration (DBM CFG) file using the AUTHENTICATION 
parameter 


Example: 


— To view the authentication parameter in the configuration file 
db2 get dbm cfg 


— To alter the authentication parameter to SERVER. ENCRYPT: 
db2 update dbm cfg using authentication SERVER. ENCRYPT 
db2stop 
db2start 
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Setting Authentication On The Client 


* The client authentication setting must match that of the database 
server to which the client is connecting 


— (with the exception of KRB. SERVER. ENCRYPT) 


* Client authentication is set using the catalog database command 
* Example: 
- Let's assume the server authentication type is set to SERVER. The 


following command would then be issued to catalog the server 
database named sample: 


db2 catalog database sample at node nd1 authentication server 


- |f the authentication type is not specified, the client will try to use 
SERVER. ENCRYPT by default 
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Dealing With Untrusted Clients 


If the server or gateway machine has authentication set to CLIENT, 
this implies that the client is expected to authenticate a user's ID and 
password 


However, some client machines may not have operating systems with 
native security features 


- Such untrusted clients include DB2 clients running on Windows 98 


There are two additional parameters in the DBM CFG file used to 
determine where authentication should take place when the server or 
gateway authentication method is set to CLIENT and untrusted clients 
are attempting to connect to the database or attach to the DB2 
instance 


— TRUST. ALLCLNTS 


- TRUST. CLNTAUTH 
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Dealing With Untrusted Clients (Cont'd) 


a TRUST ALLCLNTS 
— Decide whether to trust all clients 


e YES: All clients, whether or not they are trusted, are forced to 
authenticate at the client 


e NO: All untrusted clients will be authenticated at the server 
(meaning that a user ID and password must be provided) - all trusted 
clients will be authenticated at the client machine 


* DRDAONLY: Trust only clients that are running on iSeries or zSeries 


platforms (i.e., DRDA clients) - any other clients must provide user ID 
and password 
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Dealing With Untrusted Clients (Cont'd) 


= TRUST. CLNTAUTH 


- Where will the authentication take place when a user ID and password 
are supplied and authentication type is CLIENT 


* CLIENT: Authentication is done at the client; a user ID and password 
are not required 


e SERVER: Authentication is done at the server if a user ID and 
password are supplied 
If no user ID and password are supplied, the authentication will take 
place at the client 
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Database Authentication — Example 


=» UPDATE DBM CFG USING AUTHENTICATION SERVER, ENCRYPT 
— db2 connect to sample 


* Only possible on database server 


e All clients will be authenticated at the Server - no connect possible 
without supplying user ID and password from a client machine 
Connection data is send encrypted from the client to the server 


=» UPDATE DBM CFG USING AUTHENTICATION CLIENT THRUST_ALLCLNTS 
NO 


— db2 connect to sample user john using pass 


e Authentication on trusted Client 
e All untrusted clients will be authenticated at the Server 
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Database Authentication — Example 


=» UPDATE DBM CFG USING AUTHENTICATION CLIENT THRUST_ALLCLNTS 
NO TRUST_CLNTAUTH CLIENT 


— db2 connect to sample user john using pass 
e Authentication on Client 

— db2 connect to sample 
* Authentication on Client 


= UPDATE DBM CFG USING AUTHENTICATION CLIENT THRUST_ALLCLNTS 
NO TRUST_CLNTAUTH SERVER 


— db2 connect to sample user john using pass 
e Authentication on Server 
— db2 connect to sample 


e Authentication on Client 
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Database Authentication — Windows 


1. 


2 
5 


DB2 for Windows exploits the native Windows security system to 
authenticate users 


DB2 uses Windows to attempt to authenticate a user in the following 
order of user information: 


Local Security Access Manager (SAM) 
. Domain Controller 
. Trusted Domain Controller 


Example: 

If the authentication type is SERVER, the DB2 server attempts to authenticate the 
user at the server machine 

If the user is not defined in the server machine's SAM, the authentication will be 
attempted on the domain controller 

If the user is not defined on the domain controller, the domain controller of the 
trusted domains is used 

If the user is not defined in the trusted domain, the authentication will fail 


Introduction to DB2 - 4. Database Security ON DEMAND BUSINESS" 


| IBM Software Group 


Authentication In A SAP Environment 


A 


Connect to SID user SAP<SID> using PASSWORD 


«pum Coxosd 


Introduction to DB2 - 4. Database Security ‘ON DEMAND BUSINESS" 


User: 
<SID>ADM 


| IBM Software Group 


Authentication In A SAP Environment (Cont'd) 


* InaSAP environment, the disp+work processes are connected to the 
database as user sapr3/ sap<sid> 


- Some database operations are also performed by user «sid»adm 


* Because an interactive logon is not possible, an encrypted password 
file is used to allow users access to the database 


® The password file is called dscdb6.conf and is located in the global 
directory of the /usr/sap file system 


- The db2<sid> user needs read access to the password file 
® The password file is created by using the csccbéup tool 


— Please remember: Once you change the password of sapr3/sap<sid> 
and/or <sid>adm on the operating system level you must also 
update the dscdbó.conf file 
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DB2 Authorities 
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DB2 Authorities — Overview 


* DB2 authorities control the following aspects of a database security 
plan: 


— The authority level that a user is granted 
— The commands that a user is allowed to run 
— The data that a user is allowed to read and/or alter 


— The database objects a user is allowed to create, alter, and/or drop 
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DB2 Authorities — Overview (Cont'd) 


* Authorities are made up of groups of privileges and higher-level 
database manager (instance-level) maintenance and utility operations 


— SYSADM, SYSCTRL and SYSMAINT are instance-level authorities 


* These authorities can only be assigned to an (operating system) 
group; you can do so through the DBM CFG file 


- The DBADM and LOAD authorities are assigned to a user or group for a 
particular database 


e This can be done explicitly using the GRANT command 
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DB2 Authorities 


Can access 
data 


Cannot 
access data 


e Ownership (Control) 
e /ndividual 
e /mplicit 
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Obtaining Database Authorities 


= Instance-level authorities 


- The authorities SYSADM, SYSCTRL, and SYSMAINT are associated with 
groups and are specified at the instance level 


* UPDATE DBM CFG USING SYSADM_GROUP <GROUP1> 
every user ID that is a member of group1 will have SYSADM 
authority on this instance 


e UPDATE DBM CFG USING SYSCTRL_GROUP <GROUP2> 
e UPDATE DBM CFG USING SYSMAINT_GROUP <GROUP3> 


Introduction to DB2 - 4. Database Security 'ON DEMAND BUSINESS" 


| IBM Software Group 


Obtaining Database Authorities (Cont'd) 


= DBADM Authority 


-The creator of a database will automatically have DBADM authority 
for the new database; Other users may be granted the DBADM 
authority by a SYSADM user: 


* GRANT DBADM ON DATABASE TO USER <USER1> 
® LOAD Authority 


— Only users with either SYSADM or DBADM authority are permitted to 
grant or revoke LOAD authority to users or groups 


e GRANT LOAD ON DATABASE TO USER <USER1> 
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Database Authority Summary 


Te REATE/DROP/ALTER TABLE SPACE | ves | YE T] OOOO 
TRESTORETONEW DATABASE [| ves | ves |_| —— 
KLAN | es | YES | ves ——3 
BACKUP DATABASE or TABLE SPACE | ves | s [f ves | — — 
T RESTORE TO EXITING DATABASE | ves | E | ves JOO O 


YES YES 


YES 
YES Y YES YES 


R 
CREATE /ACTIVATEJ/DROP EVENT MONITORS 
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Database Authority — Windows Considerations 


* Ina Windows domain environment, a group list for the authenticated 
user is enumerated at the machine where the authentication is done 


® The DB2 GRP LOOKUP registry variable allows to specify where the 
list of groups a user belongs to should be enumerated: 


- LOCAL: At the DB2 server the list of groups is enumerated using the 
local SAM at the DB2 server 


* By setting this value, the database administrator does not need to 
have the administrative authority for Windows domains 


— DOMAIN: DB2 will always enumerate groups and validate user 
accounts on the user account’s Windows domain 
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DB2 Privileges 
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Authorities And Privileges 


=| SYSCTRL 
SYSMAITNT 


Authorities 


Privileges 


CREATETAB BIND ADD CONNECT : co TRO CONTROL 
(Database) (Database) (Database) W Ti (Tables) (Views) 


LOAD Table space 
(Database) Owner 


IMPLICIT, SCHEMA 
(Database) 
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Resources: Privileges Required 


RESOURCE NEEDED TO CREATE NEEDED TO CONTROL|OTHER PRIVILEGES 


Database SYSADM DBADM | CONNECT | 
SN SCELRE BINDADD 
CREATETAB 
NOFENCE 
IMPLICIT SCHEMA 


Package BINDADD CONTROL BIND 
EXECHTE 


Table (T) CREATETAB (T) CONTROL 


View (V) CONTROL OR SELECT (V) INSERT (TW) 


DELETE (TW) 
UPDATE (TN) 
ALTER (T) 

INDEX (T) 
REFERENCES (T) 


SYSADM Schema Owner CREATEIN 
DBADM AL TERIN 
IMPLICIT SCHEMA DRO PIN 
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Grant Command - Table, View Privileges Support 


PRIVILEGES 


PPD GRANT ALL 
, 


ALTER 
CONTROL 
DELETE 
| NDEX 
I NSERT 


REFERENCES 
( j column- name l, 
SELECT 
col um- na me dl, 


UPDATE 
TABLE D 
5»—— ON table-name ——TO0 ~y authorization-name l, 
a Ed 
vi ew-name GROUP 


PUBLIC 


WITH GRANT OPTION 


‘ON DEMAND BUSINESS” 
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Grant Explicit Privileges 


® Granting a privilege with grant option allows the authorization ID to 


extend the specified privilege to others 


— This option is only available to package, routine, schema, table, 
table space, and view 


Although the grant privilege is extended, the revoke privilege is not. 
If privileges are received through the with grant option, a user will 
not be able to revoke the privileges from others 


Example 


- This statement allows john to perform select, update, or delete 
operations on the table employee and to grant any of these 
privileges to others: 
db2 grant select, update, delete on table employee to user john 
with grant option 
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Example — Controlling Use Of Schemas 


= Schemas are named collection of objects 
— Forms high-order part of objects with a two part name 


* User with DBADM authority creates schema PAY for user MEL 
— CREATE SCHEMA PAY AUTHORIZATION MEL 


* Mel can create objects in schema pay 
— CREATE TABLE PAY.T1 (COL1 INT) 


* Mel can grant privileges to other users: 
— GRANT CREATEIN ON SCHEMA PAY TO USER CAL 
— GRANT ALTERIN, CREATEIN, DROPIN ON SCHEMA PAY TO 
— GROUP G1 WITH GRANT OPTION 


* Achieving greater schema control: 


— REVOKE IMPLICIT SCHEMA ON DATABASE FROM PUBLIC 
— GRANT IMPLICIT. SCHEMA ON DATABASE TO USER JON 
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Individual IDs, Group IDs And Public 


Individual ID 


Group ID 


public: 
allusers 


ENS AE etait PUBLIC is a special DB2 group that 
SYSCAT.PACKAGEAUTH includes all users of a particular database; 
SYSCAT TABAUTH 


PUBLIC does not have to be defined at the 
SYSCAT.COLAUTH O/S level 
SYSCAT.SCHEMAUATH 
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Group And User Support 


os. 
or 
Windows NT 


User-cal 


GRANT SELECT ON TABLE EMPLOYEE TO CAL 
7 -0r - 
GRANT SELECT ON TABLE EMPLOYEE TO USER CAL 


GRANT SELECT ON TABLE EMPLOYEE TO CAL 
2 - or - 


GRANTSELECTON TABLE EMPLOYEE TO GROUPCAL 


3 X GRANT SELECT ON TABLE EMPLOYEE TO CAL—LOLCODE -569 


Introduction to DB2 - 4. Database Security ‘ON DEMAND BUSINESS" 


| IBM Software Group 


Implicit Privileges 


=» CREATE DATABASE 
— Internal GRANT of DBADM authority with CONNECT, CREATETAB, 


— BINDADD, CREATE_NOT_FENCED, LOAD and IMPLICIT SCHEMA privileges to creator 
(SYSADM or SYSCTRL) 


Internal GRANT of BINDADD, CREATETAB, CONNECT and IMPLICIT_SCHEMA to PUBLIC 
BIND and EXECUTE privilege on each successfully bound utility to PUBLIC 
SELECT on system catalog tables and views to PUBLIC 
— USE privilege on USERSPACE1 table space to PUBLIC 
=» GRANT DBADM 


— Internal GRANT of BINDADD, CREATETAB, CONNECT, CREATE. NOT. FENCED, LOAD and 
IMPLICIT. SCHEMA 


® Create object (table, index, package) 
- |nternal GRANT of CONTROL to object creator 


® Create view 


— Internal GRANT to intersection of creator's privileges on base tables to view creator 
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Indirect Privileges 


* Privileges can be obtained indirectly when packages are executed by 
the database manager 
— A package contains one or more SQL statements in an executable format 


— If all the statements in the package are static, a user would only require 
EXECUTE privilege on the package to successfully execute the statements in 
the package 


Example: Assume db2package7 executes the following static SQL 
statements: 

db2 select * from org 

db2 insert into test values (1, 2, 3) 


- In this case, a user with EXECUTE privilege on ab2package 7 would indirectly 
be granted SELECT privilege on the table org and INSERT privilege on the 
table test 
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Query Privileges Granted To Current ID 


db2 PEL CT FROM SYSCATTABAUTH WHERE GRANTEE IN (USER, 'PUBLIC")" 
dbZ get authorizations 


"Rounding up Privileges" 
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Grant/Revoke Scenarios 1/4 


GRANT DBADM ON DATABASE TO USER SI1ADM 


Get Authorizations 


Administrative Authorizations for Current User 


Direct SYSADM authority - NO 
Direct SYSCTRL authority 

Direct SYSMAINT authority 

Direct DBADM authority 

Direct CREATETAB authority 

Direct BINDADD authority 

Direct CONNECT authority - YES 
Direct CREATE. NOT. FENC authority 
Direct IMPLICIT SCHEMA authority 
Direct LOAD authority - YES 


Indirect SYSADM authority - NO 
Indirect SYSCTRL authority - YES 
Indirect SYSMAINT authority 

Indirect DBADM authority 

Indirect CREATETAB authority 

Indirect BINDADD authority 

Indirect CONNECT authority - NO 
Indirect CREATE. NOT FENC authority = NO 
Indirect IMPLICIT. SCHEMA authority - YES 
Indirect LOAD authority - NO 
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Grant/Revoke Scenarios 2/4 


REVOKE DBADM ON DATABASE FROM USER SIDADM 


Get Authorizations 


Administrative Authorizations for Current User 


Direct SYSADM authority 

Direct SYSCTRL authority 

Direct SYSMAINT authority 

Direct DBADM authority 

Direct CREATETAB authority 

Direct BINDADD authority 

Direct CONNECT authority = YES 
Direct CREATE_NOT_FENC authority 
Direct IMPLICIT SCHEMA authority 
Direct LOAD authority = YES 


Indirect SYSADM authority =NO 
Indirect SYSCTRL authority = YES 
Indirect SYSMAINT authority 

Indirect DBADM authority 

Indirect CREATETAB authority 

Indirect BINDADD authority 

Indirect CONNECT authority =NO 
Indirect CREATE_NOT_FENC authority =NO 
Indirect IMPLICIT. SCHEMA authority = YES 
Indirect LOAD authority =NO 
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Grant/Revoke Scenarios 3/4 


REVOKE BINDADD ON DATABASE FROM USER SIDADM 


Get Authorizations 


Administrative Authorizations for Current User 


Direct SYSADM authority 

Direct SYSCTRL authority 

Direct SYSMAINT authority 

Direct DBADM authority 

Direct CREATETAB authority 

Direct BINDADD authority 

Direct CONNECT authority = YES 
Direct CREATE. NOT. FENC authority 
Direct IMPLICIT SCHEMA authority 
Direct LOAD authority - YES 


Indirect SYSADM authority - NO 
Indirect SYSCTRL authority - YES 
Indirect SYSMAINT authority 

Indirect DBADM authority 

Indirect CREATETAB authority 

Indirect BINDADD authority 

Indirect CONNECT authority - NO 
Indirect CREATE. NOT FENC authority = NO 
Indirect IMPLICIT. SCHEMA authority - YES 
Indirect LOAD authority - NO 
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Grant/Revoke Scenarios 4/4 


GRANT DBADM ON DATABASE TO USER SI1ADM 


Get Authorizations 


Administrative Authorizations for Current User 


Direct SYSADM authority - NO 
Direct SYSCTRL authority 

Direct SYSMAINT authority 

Direct DBADM authority 

Direct CREATETAB authority 

Direct BINDADD authority 

Direct CONNECT authority - YES 
Direct CREATE. NOT. FENC authority 
Direct IMPLICIT SCHEMA authority 
Direct LOAD authority - YES 


Indirect SYSADM authority - NO 
Indirect SYSCTRL authority - YES 
Indirect SYSMAINT authority 

Indirect DBADM authority 

Indirect CREATETAB authority 

Indirect BINDADD authority 

Indirect CONNECT authority - NO 
Indirect CREATE. NOT FENC authority = NO 
Indirect IMPLICIT SCHEMA authority - YES 
Indirect LOAD authority - NO 
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Query Who Has Which Privileges 


= Most of the information on authorizations is maintained in seven system 
catalog tables: 


— SYSCAT.DBAUTH Database privileges 

— SYSCAT.COLAUTH Table and View Column privileges 
- SYSCALINDEXAUTH Index privileges 

— SYSCAT.PACKAGEAUTH Access Package privileges 

— SYSCAT.SCHEMAAUTH Schema privileges 

— SYSCAT.TABAUTH Table and view privileges 

— SYSCAT.TBSPACEAUTH Table space privileges 


— SYSADM, SYSCTRL and SYSMAINT authority and group membership are 
defined outside Database Manager and are therefore not reflected in system 
catalogs 
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